Skip to main content

Hackers reportedly used a tool developed by the NSA to attack Baltimore’s computer systems

Hackers reportedly used a tool developed by the NSA to attack Baltimore’s computer systems


EternalBlue was also used in the WannaCry and NotPetya attacks in 2017

Share this story

If you buy something from a Verge link, Vox Media may earn a commission. See our ethics statement.

Cybersecurity Facebook crop

Since May 7th, the Baltimore’s city government has been dealing with a ransomware attack that has shut down everything from its email to the systems that allow residents to pay water bills, purchase homes, and other services. According to a report in The New York Times, the tool that has crippled the city is a National Security Agency creation called EternalBlue, which has been used in other high-profile cyberattacks.

According to security experts, hackers used EternalBlue, which exploits a vulnerability in certain versions of Microsoft’s Windows XP and Vista systems, allowing an external party to execute remote commands on their target. The tool was leaked by hacking group The ShadowBrokers in April 2017, and within a day, Microsoft had released a patch to fix the exploit. But patching a system doesn’t mean that those vulnerabilities are entirely closed: users must first apply the patch. Hackers using EternalBlue have since been responsible for several major cyberattacks, including Wannacry in May 2017, and the NotPetya attacks against Ukranian banks and infrastructure in June 2017.

However, on May 31st, Maryland Representative C.A. Dutch Ruppersberger told the paper that “I’m told it was not used to gain access nor to propagate further activity within the network.” The NSA didn’t comment to the Times regarding his statements.

The Baltimore attack is the latest instance of the use of this malware, and a recent report from WeLiveSecurity highlights that its use is increasing, especially against US targets. They found that “there are currently almost a million machines in the wild using the obsolete SMB v1 protocol,” and that that’s the result of “poor security practices and lack of patching are likely reasons why malicious use of the EternalBlue exploit has been growing continuously since the beginning of 2017, when it was leaked online.”

Baltimore’s computers were hit with the ransomware attack earlier this month, and city officials have said that they won’t pay (via The New York Times) the $76,000 ransom demand. The city has begun to implement some workarounds, manually processing real estate transactions and setting up a Gmail system for city workers, which Google initially shut down, but has since restored. In the meantime, The Baltimore Sun reports that the city’s IT department is working to restore access to the city’s systems while improving their security while they do so.

Update June 1st, 2019, 9:30AM ET: Updated to include followup comments from Representative C.A. Dutch Ruppersberger.